SSL3: "dh key too small" with news.tweaknews.eu
Posted: June 14th, 2015, 6:00 am
by BrokenClockwork
After updating from Ubuntu 14.04 to 14.10 (later to 15.04) I am now getting this error when connecting to my Usenet server via SSL:
[Errno 111] Failed to connect: [('SSL routines', 'SSL3_CHECK_CERT_AND_ALGORITHM', 'dh key too small')]-1@news.tweaknews.eu:443
dh refers to the Diffie-Hellman key. I would assume this is related to the Logjam vulnerability, but how can I fix this? I assume this needs to be fixed inside Sabnzbd, generate a new key. But I don't know how.
Thanks in advance,
BrokenClockwork
Re: SSL3: dh key too small
Posted: June 14th, 2015, 8:49 am
by sander
FWIW: I can reproduce it on my Ubuntu 15.04 with SABnzbd 0.8.x git version (and SABnzbd 0.7.20) and python 2.7.9
Code:
2015-06-14 15:44:59,446::INFO::[downloader:399] 1@news.tweaknews.eu: Initiating connection
2015-06-14 15:44:59,562::INFO::[newswrapper:241] Failed to connect: [('SSL routines', 'SSL3_CHECK_CERT_AND_ALGORITHM', 'dh key too small')] 1@news.tweaknews.eu:443
My dpkg.log:
Code:
sander@superstreamer:/var/log$ cat dpkg.log | grep libssl | grep upgrade
2015-06-12 16:38:55 upgrade libssl-doc:all 1.0.1f-1ubuntu11.1 1.0.1f-1ubuntu11.4
2015-06-12 16:38:59 upgrade libssl-dev:amd64 1.0.1f-1ubuntu11.1 1.0.1f-1ubuntu11.4
2015-06-12 16:39:00 upgrade libssl1.0.0:amd64 1.0.1f-1ubuntu11.1 1.0.1f-1ubuntu11.4
So an upgrade on 2015-06-12 (two days ago)?
Synaptic shows this information for libssl:
Code:
openssl (1.0.1f-1ubuntu11.4) vivid-security; urgency=medium
* SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
OK, clear.
So isn't this a problem on the side of tweaknews? My SSL to sslreader.eweka.nl works successfully.
Re: SSL3: dh key too small
Posted: June 14th, 2015, 9:51 am
by sander
And, yes, the problem is on the side of news.tweaknews.eu. At least that's how I interpret this:
https://weakdh.org/sysadmin.html says for news.tweaknews.eu:
Code:
Warning! This site uses weak Diffie-Hellman parameters. Your site is vulnerable to attack and may stop working in Chrome, Firefox, Safari, and Internet Explorer with upcoming patches. You need to generate new, 2048-bit Diffie-Hellman parameters.
IP Connected TLS Insecure DHE_EXPORT DHE Chrome
176.124.71.34 No Insecure Parameters (short-bit) Insecure Parameters (short-bit)
So contact them?

Re: SSL3: "dh key too small" with news.tweaknews.eu
Posted: June 15th, 2015, 10:14 am
by sander
I contacted Tweaknews. Their answer:
We have updated our certificate. A recent update caused SSL connections to fail on certain systems. Please try again. Our apologies for any inconvenience.
I checked news.tweaknews.eu via https://weakdh.org/sysadmin.html, and it says "2048-bits". Good.
I checked in SABnzbd, and no error anymore. Good.
So it seems Tweaknews has solved their DH problem.